Still (Heart)bleeding: New OpenSSL MiTM Vulnerability Surfaces

The Cupid prototype exploit has surfaced that can use the Heartbleed vulnerability in a new way, over wireless networks

On the heels of the discovery of the Heartbleed bug, arguably the biggest security story of the year so far, OpenSSL has disclosed another serious vulnerability – one that could lead to man-in-the-middle (MiTM) attacks.

Meanwhile, the Cupid prototype exploit has surfaced that can use the Heartbleed vulnerability in a new way, over wireless networks, indicating that OpenSSL concerns are far from resolved.

“A man-in-the-middle attack is like a phone tap; someone breaks into the line you’re using to communicate and is able to get all the information going back and forth,” explained Jonathan Sander, strategy and research officer for STEALTHbits Technologies, in a comment to Infosecurity. “The encryption OpenSSL is supposed to grant you is meant to protect you from that, but when the encryption is broken, the protection is gone.”

Like Heartbleed, the flaw has to do with the implementation of cryptography methods within OpenSSL. Unlike Heartbleed though, the new flaw will likely have a limited scope because the attack can only be performed if the perpetrator has access to both a vulnerable client and a vulnerable server.

“The flaw is certainly less severe than Heartbleed, as a malicious actor must be in control of one of the nodes in between the intended victim and its destination, hence the man-in-the-middle references,” Jean Taggart, security researcher at Malwarebytes, explained to Infosecurity. “This flaw enables forcing the transport layer security (TLS) to dumb down the encryption used to secure the flow of information to unsafe levels, where it can be decrypted, read and even possibly modified.”

OpenSSL has already patched the MiTM flaw. But for some, the main takeaway is the fact that code can never be perfected by human means.

“The continuous stream of vulnerabilities, even in code that is public and reviewed, shows that enterprises must be certain that their infrastructure provides the multi-tiered architecture that is a best practice,” said Steve Hultquist, CIO and vice president of customer success at RedSeal Networks, talking to Infosecurity. “Given the errors we have consistently seen in device configurations, it is critical that automated analysis determine the true state of every device and the overall network to limit the attack surface for active attackers.”

Sander added, “This should serve as more evidence that organizations need to take deep security audits seriously so they know how they are being protected – or not being protected – by the technology they have in place.”

Others said that the disclosure is proof that the open-source collaboration model works.

“Unsurprisingly, security researchers started poring over the OpenSSL source code after the Heartbleed vulnerability,” said Taggart. “We shouldn’t be surprised that there are more flaws in the OpenSSL cryptographic library…It’s often said that security is a process, not a product. The independent code review, subsequent bug discovery and patching process is the strength of open source.”

However, it takes ongoing vigilance to stay ahead of the bad actors. For instance, Luis Grangeia, a Portuguese security researcher, has developed a new attack method called Cupid, which exploits Heartbleed via wireless networks.

"As we often see with many security vulnerabilities, with slight modifications, new attacks can be created,” Fred Kost, vice president of security solutions at Ixia, in an email. “Now with Cupid, the Heartbleed vulnerability can be exploited on wireless connections that use a protocol called EAP.”

Cupid requires that a malicious patch that has been shown to exploit Heartbleed be applied to either a host Linux system or to a Linux endpoint. The patch enables the endpoint or server to launch the new attack based on the original Heartbleed vulnerability, but this time relying on networks using EAO, primarily wireless.

“If a system has a vulnerable version of OpenSSL installed, this is indeed a new attack vector that needs to be tested and protections enabled in security mitigations,” said Kost.